Digital image forensics

Fully automated and open source



Image Forensics

Sometimes forensic investigators need to process digital images as evidence. There are some tools around; without them, forensic analysis is difficult when a lot of images are involved.
Images contain a great deal of information; Ghiro extracts this information from the provided images and displays it in a nicely formatted report.
Dealing with tons of images is pretty easy: Ghiro is designed to scale to support gigabytes of images.
All tasks are fully automated; you just have to upload your images and let Ghiro do the work.
Understandable reports and great search capabilities allow you to find a needle in a haystack.
Ghiro is a multi-user environment, and different permissions can be assigned to each user. Cases allow you to group image analyses by topic, and a permission schema lets you choose which users are allowed to see your case.

Use Cases

Ghiro can be used in many scenarios: forensic investigators could use it on a daily basis in their analysis lab, but people interested in uncovering secrets hidden in images could benefit too. Some example use cases are the following:

  • If you need to extract all data and metadata hidden in an image in a fully automated way
  • If you need to analyze a lot of images and you do not have much time to read the reports for all of them
  • If you need to search a bunch of images for some metadata
  • If you need to geolocate a bunch of images and see them on a map
  • If you have a hash list of "special" images and you want to search for them

Ghiro is designed to be used in many other scenarios as well; imagination is the only limit.

Alessandro Tanasi

Lead developer. He thinks in terms of architectural design, database relationships and inter-process communication. He strongly believes the core of things(TM) is developed in a scripting language.

Alessandro Tanasi - jekil

Marco Buoncristiano

User experience and design architect. He does not sleep until he has killed the last bug. He turns the use of a complicated tool into an easy and enjoyable experience, like a beautiful dream.

Marco Buoncristiano - burlone

Stable release from git

The stable branch follows the last stable release but provides faster bug fixes, so it is much the same as downloading the stable package above. This is suggested only for advanced users. You can download the code with the following command:

git clone https://github.com/ghirensics/ghiro.git

Stable release package

The latest Ghiro stable release can be downloaded using the button on the right.
The stable package is available in both .zip and .tar.gz formats. This is strongly suggested for all users.

Virtual Appliance

The fastest way to start playing with Ghiro is to download the Ghiro Virtual Appliance using the button on the right. In a few minutes you will have a fully functional Ghiro setup and can start analyzing your images.
The ZIP contains an OVA file, which you have to import into your virtualization software (such as VirtualBox or VMware); then configure the networking as explained in the README.txt.

Public setup: imageforensic.org

FULLY AUTOMATED: upload images, get reports, search for a needle in a haystack

INTRODUCING USER INTERFACE

All Ghiro features can be controlled via the web interface. You can upload single images or batches of images, navigate reports, and get a quick or deep overview of the image analysis.

You can group images in cases, search for any kind of analysis data, search for photos near a GPS location, administer users, and view all images in the system.

Metadata extraction

Metadata are divided into several categories depending on the standard they come from. Image metadata are extracted and categorized, for example as EXIF, IPTC or XMP.

GPS Localization

Sometimes a geotag is embedded in the image metadata: a bit of GPS data providing the longitude and latitude of where the photo was taken. It is read and the position is displayed on a map.


MIME information

The image MIME type is detected so you know the image type you are dealing with, in both contracted (example: image/jpeg) and extended form.



Error Level Analysis

Error Level Analysis (ELA) identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level; if a difference is detected, it likely indicates a digital modification.

Thumbnail extraction

The thumbnails and data related to them are extracted from image metadata and stored for review.


Thumbnail consistency

Sometimes when a photo is edited, the original image is changed but the thumbnail is not. Differences between the thumbnails and the images are detected.

Signature engine

Over 120 signatures provide evidence about the most critical data, to highlight focal points and common exposures.


Hash matching

Suppose you are searching for an image and you have only its hash. You can provide a list of hashes, and all matching images are reported.
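
A sketch of the hash-list matching described above, as an added example that is not Ghiro's own code. The one-digest-per-line list format, the function names and the sample files are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> hashlib name

def parse_hash_list(text):
    """Group a one-digest-per-line list by algorithm, inferred from digest length."""
    wanted = {}
    for line in text.splitlines():
        value = line.split("#", 1)[0].strip().lower()  # allow trailing comments
        if not value:
            continue
        algo = ALGO_BY_LEN.get(len(value))
        if algo is None or not set(value) <= set("0123456789abcdef"):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
        wanted.setdefault(algo, set()).add(value)
    return wanted

def digest_file(path, algos, chunk=1 << 20):
    """Read the file once, in chunks, feeding every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def find_matches(root, wanted):
    """Return sorted (relative path, algorithm, digest) for files on the list."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            for algo, value in digest_file(path, wanted).items():
                if value in wanted[algo]:
                    hits.append((str(path.relative_to(root)), algo, value))
    return sorted(hits)

def demo():
    # Constructed stand-ins for image files; the last list entry matches nothing.
    samples = {"a.jpg": b"constructed A", "b.png": b"constructed B", "c.gif": b"constructed C"}
    listing = (hashlib.sha256(samples["a.jpg"]).hexdigest() + "  # case note\n"
               + hashlib.md5(samples["c.gif"]).hexdigest().upper() + "\n" + "0" * 40)
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return find_matches(root, parse_hash_list(listing))

if __name__ == "__main__":
    print(demo())
```

Cryptographic digests match only byte-identical files, so a re-saved or resized copy of a listed image will not be reported by this kind of check.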

We put together a preview of Ghiro 0.2; have a look at the new features and user interface.
We believe in open source, automated, scalable, customizable software and beautiful design. We plan to make image forensics easier than ever. Ready to try Ghiro?
